
A 3AM ransomware affiliate is employing sophisticated social engineering tactics, including email bombing and spoofed IT support calls, to compromise corporate systems, mirroring techniques previously used by Black Basta and FIN7. Sophos reports at least 55 such attacks between November 2024 and January 2025, with attackers using stolen credentials to gain remote access and exfiltrate data; in one instance, 868 GB of data was stolen despite Sophos' tools blocking lateral movement and ransomware deployment. The attacks highlight the increasing adoption of these methods due to their effectiveness and the importance of employee awareness training, auditing administrative accounts, and blocking unapproved tools to mitigate these threats.
A 3AM ransomware affiliate is executing highly targeted attacks employing sophisticated social engineering, including email bombing and spoofed IT support phone calls, to coerce employees into granting remote access to corporate systems. This methodology, previously associated with groups like Black Basta and FIN7, is seeing wider adoption due to its proven effectiveness, further amplified by leaked operational playbooks from actors like Black Basta. Sophos reported at least 55 such attacks between November 2024 and January 2025. A specific Q1 2025 incident targeting a Sophos client involved attackers spoofing the client's IT department phone number, inducing an employee to authorize Microsoft Quick Assist access. The attackers then utilized a QEMU emulator with a QDoor backdoor to evade detection and exfiltrated 868 GB of data to Backblaze cloud storage using the GoodSync tool. Despite Sophos' security products preventing lateral movement and the final 3AM ransomware encryption on the compromised host, the significant data theft occurred within the first three days of a nine-day intrusion. This highlights the severe risk posed by data exfiltration, even when some endpoint defenses hold, and demonstrates attackers' capability to misuse legitimate tools for malicious purposes. The attackers also performed reconnaissance using WMIC and PowerShell, created local admin accounts, and installed the commercial RMM tool XEOXRemote.
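The report's recommended mitigations, auditing administrative accounts and blocking unapproved tools, translate directly into detection logic. The following is an added example, not code from Sophos or from the report, that runs a few simple rules over constructed Windows Security log events: it flags local account creation (event ID 4720), additions to the local Administrators group (4732), correlates the two so a freshly created account that is immediately made an administrator stands out, and flags process starts (4688) of remote-access or sync tools that are not on an approved list. The event lines, hostnames and user names are constructed; the approved-tool list is an assumption, the Quick Assist and QEMU executable names are their published names, and the GoodSync and XEOXRemote executable names are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical allow-list of remote-support tools this organisation sanctions (assumption).
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}

# Binaries to watch. Quick Assist and QEMU use their published executable names;
# the GoodSync and XEOXRemote names are assumed for this example.
WATCHED_REMOTE_TOOLS = {
    "quickassist.exe",
    "qemu-system-x86_64.exe",
    "goodsync.exe",
    "xeoxremote.exe",
}

# Standard Windows Security log event IDs.
EVT_USER_CREATED = "4720"
EVT_LOCAL_GROUP_MEMBER_ADDED = "4732"
EVT_PROCESS_CREATED = "4688"

# Key=Value pairs; a value runs until the next " Key=" so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample events in a flattened "<timestamp> Key=Value ..." format.
# Real 4732 events carry the member as a SID; a plain name is used here for readability.
SAMPLE_EVENTS = """
2025-01-14T03:12:07Z EventID=4720 TargetUserName=svc_support SubjectUserName=jdoe Computer=WS-042
2025-01-14T03:12:09Z EventID=4732 TargetUserName=Administrators MemberName=svc_support SubjectUserName=jdoe Computer=WS-042
2025-01-14T03:15:30Z EventID=4688 NewProcessName=C:\\Windows\\System32\\quickassist.exe SubjectUserName=jdoe Computer=WS-042
2025-01-14T03:20:00Z EventID=4688 NewProcessName=C:\\Program Files\\GoodSync\\GoodSync.exe SubjectUserName=svc_support Computer=WS-042
2025-01-14T09:00:00Z EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe SubjectUserName=jdoe Computer=WS-042
2025-01-14T09:05:00Z EventID=4688 NewProcessName=C:\\Tools\\TeamViewer.exe SubjectUserName=jdoe Computer=WS-042
""".strip().splitlines()


@dataclass
class Finding:
    time: str
    computer: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse one flattened event line into a dict of its fields plus '_time'."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = {k: v.strip() for k, v in KV_RE.findall(rest)}
    fields["_time"] = timestamp
    return fields


def analyze(lines):
    """Apply the account-audit and unapproved-tool rules; return findings in event order."""
    findings = []
    created_accounts = set()  # (host, account) pairs created earlier in this batch
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        actor = ev.get("SubjectUserName", "?")
        if eid == EVT_USER_CREATED:
            target = ev.get("TargetUserName", "?")
            created_accounts.add((host, target.lower()))
            findings.append(Finding(ev["_time"], host, "local-account-created",
                                    f"{actor} created account {target}"))
        elif (eid == EVT_LOCAL_GROUP_MEMBER_ADDED
              and ev.get("TargetUserName", "").lower() == "administrators"):
            member = ev.get("MemberName", "?")
            # A new account promoted to admin in the same batch is the pattern from the report.
            rule = ("new-account-made-local-admin"
                    if (host, member.lower()) in created_accounts
                    else "local-admin-group-change")
            findings.append(Finding(ev["_time"], host, rule,
                                    f"{actor} added {member} to Administrators"))
        elif eid == EVT_PROCESS_CREATED:
            exe = ev.get("NewProcessName", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in WATCHED_REMOTE_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
                findings.append(Finding(ev["_time"], host, "unapproved-remote-tool",
                                        f"{actor} launched {exe}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.time} {f.computer} [{f.rule}] {f.detail}")
```

On the sample batch the rules produce four findings: the account creation, its promotion to local admin two seconds later (escalated because the account was created in the same batch), and the Quick Assist and GoodSync launches; Notepad and the approved TeamViewer binary are ignored. In production the same logic would sit on top of forwarded event logs or an EDR's process telemetry rather than a flat text file, and the 4732 member SID would be resolved before matching.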